This parameter are sent to AP in a secure manner and stored in flash as part of the environment variable.

When dot1x AP boots up from flash, it starts SAPD, which initiates wpa-supplicant process.

Typically AP’s point of attachment (switchport where AP is connected - authenticator) initiates authentication and then whole 802.1x auth will happen where AP will provide its username and password, which will be checked against RADIUS server.

Once authentication is successful, RADIUS server sends a control message to the authenticator (switch port), which will make port authorized (from uncontrollerd to controlled port) for the AP’s MAC address and communication can commence.

AP will get IP address through DHCP server or static assignment. AP will communicate to the master controller and will come up on it.